What is claimed is: 

1. A method for seamless hand-off of a mobile device between access points,
comprising: pre-configuring a mobile station with higher-layer information for at least 
one new candidate IP subnetwork while said mobile station is configured for 
communications with a present IP subnetwork. 

2. The method of claim 1, further including the mobile station sending or receiving
packets through the candidate IP subnetwork before a handoff is performed to a first of 
said at least one new IP subnetwork. 

3. A method for minimizing interruption in handoff of a mobile station between 
access points in current and new subnetworks, comprising: obtaining pre- 
authentication for a mobile station that has a single wireless interface to work over an 
access point in at least one new subnetwork before dissociating with an access point 
in the current subnetwork. 

4. The method of claim 3, further including carrying said pre-authorization over an 
IP layer. 

5. The method of claim 4, further including carrying 802.1X over IP.

6. A method, comprising: 

resolving an IP address of an access point in a new subnetwork when a mobile 
station is in a current subnetwork; and 

obtaining pre-authentication for the mobile station to work over the current and 
new subnetworks using said IP address. 

7. The method of claim 6, wherein said resolving includes a dynamic resolution of 
the IP address. 

8. The method of claim 7, wherein the dynamic resolution includes having an
access point beacon or probe response include an IP address. 

9. The method of claim 7, wherein the dynamic resolution includes using a CARD 
mechanism for dynamic resolution. 

10. The method of claim 6, wherein said resolving includes a static resolution of the 
IP address. 

11. The method of claim 10, wherein said static resolution includes using DHCP for
carrying a list of pairs of the MAC addresses and IP addresses for at least one nearby 
AP. 

12. The method of claim 10, wherein said static resolution includes using EAP-TLV 
for carrying a list of pairs of the MAC addresses and IP addresses for at least one 
nearby access point. 

13. The method of claim 6, wherein said access point in the new subnetwork does 
not support higher-layer pre-authentication and communicates with the mobile station 
via a proxy agent and said IP address is of said proxy agent. 

14. The method of claim 13, wherein the proxy agent uses the MAC address of the 
mobile station. 

15. The method of claim 13, wherein said access point in the new subnetwork 
communicates IEEE 802.1X frames to the mobile station via the proxy agent.

16. The method of claim 13, wherein the mobile station's MAC address is carried in 
a payload of higher-layer packets. 

17. The method of claim 6, wherein said access point in the new subnetwork
supports higher-layer pre-authentication and communicates with the mobile station. 

18. The method of claim 17, wherein the said access point in the new subnetwork 
communicates with the mobile remote station by using a higher-layer protocol that 
carries 802.1X frames.

19. The method of claim 18, further including carrying 802.1X frames and
maintaining order invariance of EAP messages. 

20. The method of claim 18, further including using PANA for carrying EAP 
messages. 

21. The method of claim 18, further including using IKEv2 for carrying EAP
messages. 

22. The method of claim 18, further including using a newly defined protocol to 
carry 802.1X frames over a reliable transport.

23. The method of claim 22, wherein the reliable transport uses TCP. 

24. A method comprising, reducing handoff delay of a mobile station by pre- 
establishing higher-layer contexts prior to handoff based on higher-layer pre- 
authentication. 

25. The method of claim 24, wherein said higher-layer contexts include a client IP 
address in a new network. 

26. The method of claim 25, wherein said higher-layer contexts include a network 
address of the new network. 

27. The method of claim 26, wherein said higher-layer contexts include a subnet
mask of the new network. 

28. The method of claim 24, further including securing messages used for pre- 
establishing higher-layer contexts. 

29. The method of claim 28, further including using a higher-layer authentication 
protocol for deriving cipher keys for protecting higher-layer pre-configuration
messages. 

30. The method of claim 24, further including performing layer-2 pre-configuration 
by using 802.1X pre-authentication and 802.1X over IP.

31. The method of claim 24, further including using a single higher-layer
authentication protocol for pre-establishing a plurality of the higher-layer contexts. 

32. The method of claim 31, further including using IKE or IKEv2 for pre-
establishing a plurality of the higher-layer contexts.

33. The method of claim 31, further including using PANA and IKE or IKEv2 for pre-
establishing a plurality of the higher-layer contexts.

34. The method of claim 24, further including establishing an IPsec tunnel between 
the mobile station and an access point in a new subnetwork for redirecting traffic for a 
pre-configured IP address of the mobile station to a currently attached subnetwork. 

35. A method for performing a handoff of a mobile station between access points in 
different access networks with minimal interruption and with maintained security, 
comprising: pre-establishing higher-layer contexts for the mobile station prior to 
handoff and securely redirecting traffic originated from or destined for a pre- 
established IP address to a new access network. 

36. The method of claim 35, further including establishing an IPsec tunnel between
the mobile station and an access router in the new access network, where an IPsec 
tunnel inner address is bound to the pre-established IP address. 

37. The method of claim 35, wherein an access router in the new access network is 
used as a temporal home agent with which a client device registers its pre-established 
IP address as a home address and the IP address assigned in a physically attached 
network as the care-of address. 

38. A method comprising: performing higher-layer pre-authentication, pre- 
configuration and data traffic redirection to reduce or eliminate timing dependency of a 
higher-layer handoff on a lower-layer handoff of a mobile station between access 
networks. 

39. The method of claim 38, wherein said higher-layer handoff is a mobile IP 
handoff. 

40. The method of claim 38, wherein said higher-layer handoff is a VPN handoff. 

41. The method of claim 38, wherein the higher-layer handoff includes an OSI
network layer handoff. 

42. The method of claim 38, further including initiating the higher-layer handoff 
earlier than the lower-layer handoff. 

43. The method of claim 42, further including completing the higher layer handoff 
entirely before the lower layer handoff. 

44. A method comprising: performing a virtual soft handoff of a mobile device 
between access points in proximate networks or subnetworks to minimize 
communication interruption by allowing the mobile device to send and receive packets 
from a new one of said access points prior to handoff.

45. The method of claim 44, further including performing a higher layer handoff 
entirely before a lower layer handoff. 

46. The method of claim 44, further including further reducing communication 
interruption using a lower-layer CDMA soft handoff. 

47. The method of claim 44, further including controlling a layer-2 handoff timing by 
a higher layer so that pre-authentication and pre-configuration can be completed prior
to starting layer-2 handoff. 

48. The method of claim 44, further including using an IPsec tunnel for traffic 
redirection during a virtual soft-handoff, with outer and inner IP addresses of a device 
for the IPsec tunnel being a care-of address in the current subnet and the care-of 
address in a new subnet, respectively. 

49. The method of claim 48, further including deleting the established IPsec tunnel 
prior to performing a layer-2 handoff. 

50. The method of claim 44, further including using an IPsec tunnel for all traffic. 

51. The method of claim 50, further including deleting an established IPsec tunnel
prior to performing a layer-2 handoff. 

52. The method of claim 44, wherein said mobile device is a mobile telephone. 

53. The method of claim 44, wherein said mobile device is a mobile computer. 

54. The method of claim 44, wherein said mobile device is a PDA. 

55. A mobile communications network node, comprising:

a) a transceiver; 

b) means for sending or receiving a network address to or from another mobile 
communications network node in a different network or subnetwork for higher-layer 
pre-authentication between said mobile communications network node and said 
another mobile communications network node while said nodes are in the different 
networks or subnetworks. 

56. The mobile communications node of claim 55, wherein said mobile 
communications network node is a mobile node. 

57. The mobile communications node of claim 55, wherein said mobile 
communications network node is an access point or router. 

58. The mobile communications node of claim 56, further including means for 
storing higher-layer contexts for a security association with said another mobile 
communications network node while said nodes are in the different networks or 
subnetworks. 

59. The mobile communications node of claim 56, further including means for 
establishing higher-layer contexts with said another mobile communications network 
node while said nodes are in the different networks or subnetworks. 

60. The mobile communications node of claim 59, further including means for 
performing a virtual soft handoff between the different networks or subnetworks by 
allowing a mobile one of said nodes to send or receive traffic to the other of said nodes 
prior to handoff. 